Skip to main content

Setup of Single Sign-On

Haima Ambily
  • Updated

You can use Microsoft Entra ID to log into SEMINE via Single Sign-On (SSO).
The following outlines the steps required to setup SSO accurately using Microsoft Entra ID with SEMINE.

  • Select "Edit organization" in the Admin panel in Semine.

    SSO.PNG

  • Then select the Single Sign-on Setup tab.
    image (11).png
  • Enabled*: Activate Single Sign-On for the organization.
    Example: Checked to enable SSO
  • Scheme*: Unique identifier automatically generated for the SSO setup.
    Example: 3f44b0bf-e571-4214-ae70-70d6b4bebda5
  • Display Name*: Choose the display name for the login button.
    Example: Abctest!
  • Authority*:  Provided by customer’s IT department/Partner. Typically the Microsoft login URL.
    Example: https://login.microsoftonline.com/39bd492d-4ea9-4fc4-946b-b0b5951f1b5
  • Client ID (Application ID)*: Provided by customer’s IT department/Partner.
    Example: 473B0893-0400-4e3b-8fb0-3cadc5ae5c60
  • Client Secret: Provided by customer’s IT department/Partner.
  • Sign-in Scheme*: Authentication scheme used for signing in.
    Example: idsrv.external
  • Sign-out Scheme*: Authentication scheme used for signing out.
    Example: idsrv
  • Callback Path*: Unique redirect path configured in Azure AD/Entra setup.
    Example: /signin-3f44b0bf-e571-4214-ae70-70d6b4bebda5
  • Validate Issuer: Ensures tokens come from the correct issuer.
    Example: Checked
  • Get claims from userinfo endpoint: Retrieves additional user details like roles or email from the identity provider.
    Example: Checked
  • Clear default scopes: Optional. Clears preconfigured scopes if you want to define custom ones.
    Example: Unchecked
  • Disable login with SEMINE username and password: Optional. Restricts login to SSO only.
    Example: Checked if only SSO login should be allowed
  • Scopes: Additional scopes to request from the identity provider.
    Example: openid profile email
  • Domain names*: Customer’s allowed domain(s) for login.
    Example:domainName1.com, domainName2.com


Microsoft Entra ID

Typically, your IT department or operating partner, responsible for managing O365/Entra, handles these tasks.

App Registrations

Photos_HCCnFXXAF1.png
Go to Register an Application

  • Name  : SemineSSO
  • Supported Account Types  : Select:  Accounts in this organizational directory only  .
  • Redirect URI : Retrieve from the SSO tab in Semine, specifically from the Callback-Path field.


chrome_EYrLTwp7jQ.png

Overview

Semine requires the following two values, and you need to input them into the Semine interface:

  • Application (client) ID - Enter this into the field labeled Application Id
  • Directory (tenant) ID - Enter this into the field labeled TenantId / Authority


Photos_sVJNgS4Qrp.png

Certificates & Secrets

  • Click on Certificates & Secrets
  • Then on New client secret

Photos_qtJ63vlesv.png

Create a New Client Secret
 Generate a new client secret with the following details:

  • Description:  SemineSSO
  • Expires: Optional, based on the customer's preference.


Click Add

chrome_U7rdy4cPs6.png

It should now appear as follows:

Photos_pePY1MvkbB.png

Then select Token configuration

  • Click on Add optional claim
  • Token Type: Select ID and then select e-mail


chrome_MjUg0GfLKe.png


In the next dialog box, check the following and then click Add

chrome_GW4BJbmtsf.png

  • Go to Authentication
    • Check the box for Id Tokens
    • Select "Yes" on enable the following mobile and desktop flows


chrome_ic34I5qjnN.png

  • Once you've saved the values in the SSO tab for Semine, SSO will be activated by a nightly job. Please inform support@semine.no if SSO is not working the day after your SSO setup is finished, or if activation is time critical and we need to do this manually.  
  • Once confirmation of activation is received, you can sign in by clicking the button with your chosen name.

    SSO button.PNG

 

Related articles

Comments

0 comments

Article is closed for comments.